# -*- coding: utf-8 -*-
"""
Module for handling openstack keystone calls.

:optdepends:    - keystoneclient Python adapter
:configuration: This module is not usable until the following are specified
    either in a pillar or in the minion's config file:

    .. code-block:: yaml

        keystone.user: admin
        keystone.password: verybadpass
        keystone.tenant: admin
        keystone.tenant_id: f80919baedab48ec8931f200c65a50df
        keystone.auth_url: 'http://127.0.0.1:5000/v2.0/'

    OR (for token based authentication)

    .. code-block:: yaml

        keystone.token: 'ADMIN'
        keystone.endpoint: 'http://127.0.0.1:35357/v2.0'

    If configuration for multiple openstack accounts is required, they can be
    set up as different configuration profiles. For example:

    .. code-block:: yaml

        openstack1:
          keystone.user: admin
          keystone.password: verybadpass
          keystone.tenant: admin
          keystone.tenant_id: f80919baedab48ec8931f200c65a50df
          keystone.auth_url: 'http://127.0.0.1:5000/v2.0/'

        openstack2:
          keystone.user: admin
          keystone.password: verybadpass
          keystone.tenant: admin
          keystone.tenant_id: f80919baedab48ec8931f200c65a50df
          keystone.auth_url: 'http://127.0.0.2:5000/v2.0/'

    With this configuration in place, any of the keystone functions can make use
    of a configuration profile by declaring it explicitly.
    For example:

    .. code-block:: bash

        salt '*' keystone.tenant_list profile=openstack1
"""

# Import Python libs
from __future__ import absolute_import, print_function, unicode_literals

import logging

# Import Salt Libs
import salt.utils.http

# Import 3rd-party libs
from salt.ext import six

HAS_KEYSTONE = False
try:
    # pylint: disable=import-error
    from keystoneclient.v2_0 import client
    import keystoneclient.exceptions

    HAS_KEYSTONE = True
    from keystoneclient.v3 import client as client3
    from keystoneclient import discover
    from keystoneauth1 import session
    from keystoneauth1.identity import generic

    # pylint: enable=import-error
except ImportError:
    pass

_OS_IDENTITY_API_VERSION = 2
_TENANTS = "tenants"

log = logging.getLogger(__name__)


def __virtual__():
    """
    Only load this module if keystone
    is installed on this minion.
    """
    if HAS_KEYSTONE:
        return "keystone"
    return (
        False,
        "keystone execution module cannot be loaded: keystoneclient python library not available.",
    )


__opts__ = {}


def _get_kwargs(profile=None, **connection_args):
    """
    get connection args
    """
    if profile:
        prefix = profile + ":keystone."
    else:
        prefix = "keystone."

    def get(key, default=None):
        """
        look in connection_args first, then default to config file
        """
        return connection_args.get(
            "connection_" + key, __salt__["config.get"](prefix + key, default)
        )

    user = get("user", "admin")
    password = get("password", "ADMIN")
    tenant = get("tenant", "admin")
    tenant_id = get("tenant_id")
    auth_url = get("auth_url", "http://127.0.0.1:35357/v2.0/")
    insecure = get("insecure", False)
    token = get("token")
    endpoint = get("endpoint", "http://127.0.0.1:35357/v2.0")
    user_domain_name = get("user_domain_name", "Default")
    project_domain_name = get("project_domain_name", "Default")
    if token:
        kwargs = {"token": token, "endpoint": endpoint}
    else:
        kwargs = {
            "username": user,
            "password": password,
            "tenant_name": tenant,
            "tenant_id": tenant_id,
            "auth_url": auth_url,
            "user_domain_name": user_domain_name,
            "project_domain_name": project_domain_name,
        }
        # 'insecure' keyword not supported by all v2.0 keystone clients
        #   this ensures it's only passed in when defined
        if insecure:
            kwargs["insecure"] = True
    return kwargs


def api_version(profile=None, **connection_args):
    """
    Returns the API version derived from endpoint's response.

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.api_version
    """
    kwargs = _get_kwargs(profile=profile, **connection_args)
    auth_url = kwargs.get("auth_url", kwargs.get("endpoint", None))
    try:
        return salt.utils.http.query(
            auth_url, decode=True, decode_type="json", verify_ssl=False
        )["dict"]["version"]["id"]
    except KeyError:
        return None


def auth(profile=None, **connection_args):
    """
    Set up keystone credentials. Only intended to be used within Keystone-enabled modules.

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.auth
    """
    __utils__["versions.warn_until"](
        "Sodium",
        (
            "The keystone module has been deprecated and will be removed in {version}.  "
            "Please update to using the keystoneng module"
        ),
    )
    kwargs = _get_kwargs(profile=profile, **connection_args)

    disc = discover.Discover(auth_url=kwargs["auth_url"])
    v2_auth_url = disc.url_for("v2.0")
    v3_auth_url = disc.url_for("v3.0")
    if v3_auth_url:
        global _OS_IDENTITY_API_VERSION
        global _TENANTS
        _OS_IDENTITY_API_VERSION = 3
        _TENANTS = "projects"
        kwargs["auth_url"] = v3_auth_url
    else:
        kwargs["auth_url"] = v2_auth_url
        kwargs.pop("user_domain_name")
        kwargs.pop("project_domain_name")
    auth = generic.Password(**kwargs)
    sess = session.Session(auth=auth)
    ks_cl = disc.create_client(session=sess)
    return ks_cl


def ec2_credentials_create(
    user_id=None,
    name=None,
    tenant_id=None,
    tenant=None,
    profile=None,
    **connection_args
):
    """
    Create EC2-compatible credentials for user per tenant

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.ec2_credentials_create name=admin tenant=admin

        salt '*' keystone.ec2_credentials_create \
        user_id=c965f79c4f864eaaa9c3b41904e67082 \
        tenant_id=722787eb540849158668370dc627ec5f
    """
    kstone = auth(profile, **connection_args)

    if name:
        user_id = user_get(name=name, profile=profile, **connection_args)[name]["id"]
    if not user_id:
        return {"Error": "Could not resolve User ID"}

    if tenant:
        tenant_id = tenant_get(name=tenant, profile=profile, **connection_args)[tenant][
            "id"
        ]
    if not tenant_id:
        return {"Error": "Could not resolve Tenant ID"}

    newec2 = kstone.ec2.create(user_id, tenant_id)
    return {
        "access": newec2.access,
        "secret": newec2.secret,
        "tenant_id": newec2.tenant_id,
        "user_id": newec2.user_id,
    }


def ec2_credentials_delete(
    user_id=None, name=None, access_key=None, profile=None, **connection_args
):
    """
    Delete EC2-compatible credentials

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.ec2_credentials_delete \
        860f8c2c38ca4fab989f9bc56a061a64 access_key=5f66d2f24f604b8bb9cd28886106f442

        salt '*' keystone.ec2_credentials_delete name=admin \
        access_key=5f66d2f24f604b8bb9cd28886106f442
    """
    kstone = auth(profile, **connection_args)

    if name:
        user_id = user_get(name=name, profile=None, **connection_args)[name]["id"]
    if not user_id:
        return {"Error": "Could not resolve User ID"}
    kstone.ec2.delete(user_id, access_key)
    return 'ec2 key "{0}" deleted under user id "{1}"'.format(access_key, user_id)


def ec2_credentials_get(
    user_id=None, name=None, access=None, profile=None, **connection_args
):
    """
    Return ec2_credentials for a user (keystone ec2-credentials-get)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.ec2_credentials_get c965f79c4f864eaaa9c3b41904e67082 access=722787eb540849158668370
        salt '*' keystone.ec2_credentials_get user_id=c965f79c4f864eaaa9c3b41904e67082 access=722787eb540849158668370
        salt '*' keystone.ec2_credentials_get name=nova access=722787eb540849158668370dc627ec5f
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    if name:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
    if not user_id:
        return {"Error": "Unable to resolve user id"}
    if not access:
        return {"Error": "Access key is required"}
    ec2_credentials = kstone.ec2.get(
        user_id=user_id, access=access, profile=profile, **connection_args
    )
    ret[ec2_credentials.user_id] = {
        "user_id": ec2_credentials.user_id,
        "tenant": ec2_credentials.tenant_id,
        "access": ec2_credentials.access,
        "secret": ec2_credentials.secret,
    }
    return ret


def ec2_credentials_list(user_id=None, name=None, profile=None, **connection_args):
    """
    Return a list of ec2_credentials for a specific user (keystone ec2-credentials-list)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.ec2_credentials_list 298ce377245c4ec9b70e1c639c89e654
        salt '*' keystone.ec2_credentials_list user_id=298ce377245c4ec9b70e1c639c89e654
        salt '*' keystone.ec2_credentials_list name=jack
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    if name:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
    if not user_id:
        return {"Error": "Unable to resolve user id"}
    for ec2_credential in kstone.ec2.list(user_id):
        ret[ec2_credential.user_id] = {
            "user_id": ec2_credential.user_id,
            "tenant_id": ec2_credential.tenant_id,
            "access": ec2_credential.access,
            "secret": ec2_credential.secret,
        }
    return ret


def endpoint_get(service, region=None, profile=None, interface=None, **connection_args):
    """
    Return a specific endpoint (keystone endpoint-get)

    CLI Example:

    .. code-block:: bash

        salt 'v2' keystone.endpoint_get nova [region=RegionOne]

        salt 'v3' keystone.endpoint_get nova interface=admin [region=RegionOne]
    """
    auth(profile, **connection_args)
    services = service_list(profile, **connection_args)
    if service not in services:
        return {"Error": "Could not find the specified service"}
    service_id = services[service]["id"]
    endpoints = endpoint_list(profile, **connection_args)

    e = [
        _f
        for _f in [
            e
            if e["service_id"] == service_id
            and (e["region"] == region if region else True)
            and (e["interface"] == interface if interface else True)
            else None
            for e in endpoints.values()
        ]
        if _f
    ]
    if len(e) > 1:
        return {
            "Error": "Multiple endpoints found ({0}) for the {1} service. Please specify region.".format(
                e, service
            )
        }
    if len(e) == 1:
        return e[0]
    return {"Error": "Could not find endpoint for the specified service"}


def endpoint_list(profile=None, **connection_args):
    """
    Return a list of available endpoints (keystone endpoints-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.endpoint_list
    """
    kstone = auth(profile, **connection_args)
    ret = {}

    for endpoint in kstone.endpoints.list():
        ret[endpoint.id] = dict(
            (value, getattr(endpoint, value))
            for value in dir(endpoint)
            if not value.startswith("_")
            and isinstance(getattr(endpoint, value), (six.string_types, dict, bool))
        )
    return ret


def endpoint_create(
    service,
    publicurl=None,
    internalurl=None,
    adminurl=None,
    region=None,
    profile=None,
    url=None,
    interface=None,
    **connection_args
):
    """
    Create an endpoint for an Openstack service

    CLI Examples:

    .. code-block:: bash

        salt 'v2' keystone.endpoint_create nova 'http://public/url' 'http://internal/url' 'http://adminurl/url' region

        salt 'v3' keystone.endpoint_create nova url='http://public/url' interface='public' region='RegionOne'
    """
    kstone = auth(profile, **connection_args)
    keystone_service = service_get(name=service, profile=profile, **connection_args)
    if not keystone_service or "Error" in keystone_service:
        return {"Error": "Could not find the specified service"}

    if _OS_IDENTITY_API_VERSION > 2:
        kstone.endpoints.create(
            service=keystone_service[service]["id"],
            region_id=region,
            url=url,
            interface=interface,
        )
    else:
        kstone.endpoints.create(
            region=region,
            service_id=keystone_service[service]["id"],
            publicurl=publicurl,
            adminurl=adminurl,
            internalurl=internalurl,
        )
    return endpoint_get(service, region, profile, interface, **connection_args)


def endpoint_delete(
    service, region=None, profile=None, interface=None, **connection_args
):
    """
    Delete endpoints of an Openstack service

    CLI Examples:

    .. code-block:: bash

        salt 'v2' keystone.endpoint_delete nova [region=RegionOne]

        salt 'v3' keystone.endpoint_delete nova interface=admin [region=RegionOne]
    """
    kstone = auth(profile, **connection_args)
    endpoint = endpoint_get(service, region, profile, interface, **connection_args)
    if not endpoint or "Error" in endpoint:
        return {"Error": "Could not find any endpoints for the service"}
    kstone.endpoints.delete(endpoint["id"])
    endpoint = endpoint_get(service, region, profile, interface, **connection_args)
    if not endpoint or "Error" in endpoint:
        return True


def role_create(name, profile=None, **connection_args):
    """
    Create a named role.

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.role_create admin
    """

    kstone = auth(profile, **connection_args)
    if "Error" not in role_get(name=name, profile=profile, **connection_args):
        return {"Error": 'Role "{0}" already exists'.format(name)}
    kstone.roles.create(name)
    return role_get(name=name, profile=profile, **connection_args)


def role_delete(role_id=None, name=None, profile=None, **connection_args):
    """
    Delete a role (keystone role-delete)


    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.role_delete c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.role_delete role_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.role_delete name=admin
    """
    kstone = auth(profile, **connection_args)

    if name:
        for role in kstone.roles.list():
            if role.name == name:
                role_id = role.id
                break
    if not role_id:
        return {"Error": "Unable to resolve role id"}

    role = kstone.roles.get(role_id)
    kstone.roles.delete(role)

    ret = "Role ID {0} deleted".format(role_id)
    if name:
        ret += " ({0})".format(name)
    return ret


def role_get(role_id=None, name=None, profile=None, **connection_args):
    """
    Return a specific roles (keystone role-get)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.role_get c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.role_get role_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.role_get name=nova
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    if name:
        for role in kstone.roles.list():
            if role.name == name:
                role_id = role.id
                break
    if not role_id:
        return {"Error": "Unable to resolve role id"}
    role = kstone.roles.get(role_id)

    ret[role.name] = {"id": role.id, "name": role.name}
    return ret


def role_list(profile=None, **connection_args):
    """
    Return a list of available roles (keystone role-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.role_list
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    for role in kstone.roles.list():
        ret[role.name] = dict(
            (value, getattr(role, value))
            for value in dir(role)
            if not value.startswith("_")
            and isinstance(getattr(role, value), (six.string_types, dict, bool))
        )
    return ret


def service_create(
    name, service_type, description=None, profile=None, **connection_args
):
    """
    Add service to Keystone service catalog

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.service_create nova compute \
'OpenStack Compute Service'
    """
    kstone = auth(profile, **connection_args)
    service = kstone.services.create(name, service_type, description=description)
    return service_get(service.id, profile=profile, **connection_args)


def service_delete(service_id=None, name=None, profile=None, **connection_args):
    """
    Delete a service from Keystone service catalog

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.service_delete c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.service_delete name=nova
    """
    kstone = auth(profile, **connection_args)
    if name:
        service_id = service_get(name=name, profile=profile, **connection_args)[name][
            "id"
        ]
    kstone.services.delete(service_id)
    return 'Keystone service ID "{0}" deleted'.format(service_id)


def service_get(service_id=None, name=None, profile=None, **connection_args):
    """
    Return a specific services (keystone service-get)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.service_get c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.service_get service_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.service_get name=nova
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    if name:
        for service in kstone.services.list():
            if service.name == name:
                service_id = service.id
                break
    if not service_id:
        return {"Error": "Unable to resolve service id"}
    service = kstone.services.get(service_id)
    ret[service.name] = dict(
        (value, getattr(service, value))
        for value in dir(service)
        if not value.startswith("_")
        and isinstance(getattr(service, value), (six.string_types, dict, bool))
    )
    return ret


def service_list(profile=None, **connection_args):
    """
    Return a list of available services (keystone services-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.service_list
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    for service in kstone.services.list():
        ret[service.name] = dict(
            (value, getattr(service, value))
            for value in dir(service)
            if not value.startswith("_")
            and isinstance(getattr(service, value), (six.string_types, dict, bool))
        )
    return ret


def tenant_create(
    name, description=None, enabled=True, profile=None, **connection_args
):
    """
    Create a keystone tenant

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.tenant_create nova description='nova tenant'
        salt '*' keystone.tenant_create test enabled=False
    """
    kstone = auth(profile, **connection_args)
    new = getattr(kstone, _TENANTS, None).create(name, description, enabled)
    return tenant_get(new.id, profile=profile, **connection_args)


def project_create(
    name, domain, description=None, enabled=True, profile=None, **connection_args
):
    """
    Create a keystone project.
    Overrides keystone tenant_create form api V2. For keystone api V3.

    .. versionadded:: 2016.11.0

    name
        The project name, which must be unique within the owning domain.

    domain
        The domain name.

    description
        The project description.

    enabled
        Enables or disables the project.

    profile
        Configuration profile - if configuration for multiple openstack accounts required.

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.project_create nova default description='Nova Compute Project'
        salt '*' keystone.project_create test default enabled=False
    """
    kstone = auth(profile, **connection_args)
    new = getattr(kstone, _TENANTS, None).create(
        name=name, domain=domain, description=description, enabled=enabled
    )
    return tenant_get(new.id, profile=profile, **connection_args)


def tenant_delete(tenant_id=None, name=None, profile=None, **connection_args):
    """
    Delete a tenant (keystone tenant-delete)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.tenant_delete c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.tenant_delete tenant_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.tenant_delete name=demo
    """
    kstone = auth(profile, **connection_args)
    if name:
        for tenant in getattr(kstone, _TENANTS, None).list():
            if tenant.name == name:
                tenant_id = tenant.id
                break
    if not tenant_id:
        return {"Error": "Unable to resolve tenant id"}
    getattr(kstone, _TENANTS, None).delete(tenant_id)
    ret = "Tenant ID {0} deleted".format(tenant_id)
    if name:

        ret += " ({0})".format(name)
    return ret


def project_delete(project_id=None, name=None, profile=None, **connection_args):
    """
    Delete a project (keystone project-delete).
    Overrides keystone tenant-delete form api V2. For keystone api V3 only.

    .. versionadded:: 2016.11.0

    project_id
        The project id.

    name
        The project name.

    profile
        Configuration profile - if configuration for multiple openstack accounts required.

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.project_delete c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.project_delete project_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.project_delete name=demo
    """
    auth(profile, **connection_args)

    if _OS_IDENTITY_API_VERSION > 2:
        return tenant_delete(
            tenant_id=project_id, name=name, profile=None, **connection_args
        )
    else:
        return False


def tenant_get(tenant_id=None, name=None, profile=None, **connection_args):
    """
    Return a specific tenants (keystone tenant-get)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.tenant_get c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.tenant_get tenant_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.tenant_get name=nova
    """
    kstone = auth(profile, **connection_args)
    ret = {}

    if name:
        for tenant in getattr(kstone, _TENANTS, None).list():
            if tenant.name == name:
                tenant_id = tenant.id
                break
    if not tenant_id:
        return {"Error": "Unable to resolve tenant id"}
    tenant = getattr(kstone, _TENANTS, None).get(tenant_id)
    ret[tenant.name] = dict(
        (value, getattr(tenant, value))
        for value in dir(tenant)
        if not value.startswith("_")
        and isinstance(getattr(tenant, value), (six.string_types, dict, bool))
    )
    return ret


def project_get(project_id=None, name=None, profile=None, **connection_args):
    """
    Return a specific projects (keystone project-get)
    Overrides keystone tenant-get form api V2.
    For keystone api V3 only.

    .. versionadded:: 2016.11.0

    project_id
        The project id.

    name
        The project name.

    profile
        Configuration profile - if configuration for multiple openstack accounts required.

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.project_get c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.project_get project_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.project_get name=nova
    """
    auth(profile, **connection_args)

    if _OS_IDENTITY_API_VERSION > 2:
        return tenant_get(
            tenant_id=project_id, name=name, profile=None, **connection_args
        )
    else:
        return False


def tenant_list(profile=None, **connection_args):
    """
    Return a list of available tenants (keystone tenants-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.tenant_list
    """
    kstone = auth(profile, **connection_args)
    ret = {}

    for tenant in getattr(kstone, _TENANTS, None).list():
        ret[tenant.name] = dict(
            (value, getattr(tenant, value))
            for value in dir(tenant)
            if not value.startswith("_")
            and isinstance(getattr(tenant, value), (six.string_types, dict, bool))
        )
    return ret


def project_list(profile=None, **connection_args):
    """
    Return a list of available projects (keystone projects-list).
    Overrides keystone tenants-list form api V2.
    For keystone api V3 only.

    .. versionadded:: 2016.11.0

    profile
        Configuration profile - if configuration for multiple openstack accounts required.

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.project_list
    """
    auth(profile, **connection_args)

    if _OS_IDENTITY_API_VERSION > 2:
        return tenant_list(profile, **connection_args)
    else:
        return False


def tenant_update(
    tenant_id=None,
    name=None,
    description=None,
    enabled=None,
    profile=None,
    **connection_args
):
    """
    Update a tenant's information (keystone tenant-update)
    The following fields may be updated: name, description, enabled.
    Can only update name if targeting by ID

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.tenant_update name=admin enabled=True
        salt '*' keystone.tenant_update c965f79c4f864eaaa9c3b41904e67082 name=admin email=admin@domain.com
    """
    kstone = auth(profile, **connection_args)

    if not tenant_id:
        for tenant in getattr(kstone, _TENANTS, None).list():
            if tenant.name == name:
                tenant_id = tenant.id
                break
    if not tenant_id:
        return {"Error": "Unable to resolve tenant id"}

    tenant = getattr(kstone, _TENANTS, None).get(tenant_id)
    if not name:
        name = tenant.name
    if not description:
        description = tenant.description
    if enabled is None:
        enabled = tenant.enabled
    updated = getattr(kstone, _TENANTS, None).update(
        tenant_id, name=name, description=description, enabled=enabled
    )

    return dict(
        (value, getattr(updated, value))
        for value in dir(updated)
        if not value.startswith("_")
        and isinstance(getattr(updated, value), (six.string_types, dict, bool))
    )


def project_update(
    project_id=None,
    name=None,
    description=None,
    enabled=None,
    profile=None,
    **connection_args
):
    """
    Update a tenant's information (keystone project-update)
    The following fields may be updated: name, description, enabled.
    Can only update name if targeting by ID

    Overrides keystone tenant_update form api V2.
    For keystone api V3 only.

    .. versionadded:: 2016.11.0

    project_id
        The project id.

    name
        The project name, which must be unique within the owning domain.

    description
        The project description.

    enabled
        Enables or disables the project.

    profile
        Configuration profile - if configuration for multiple openstack accounts required.

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.project_update name=admin enabled=True
        salt '*' keystone.project_update c965f79c4f864eaaa9c3b41904e67082 name=admin email=admin@domain.com
    """
    auth(profile, **connection_args)

    if _OS_IDENTITY_API_VERSION > 2:
        return tenant_update(
            tenant_id=project_id,
            name=name,
            description=description,
            enabled=enabled,
            profile=profile,
            **connection_args
        )
    else:
        return False


def token_get(profile=None, **connection_args):
    """
    Return the configured tokens (keystone token-get)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.token_get c965f79c4f864eaaa9c3b41904e67082
    """
    kstone = auth(profile, **connection_args)
    token = kstone.service_catalog.get_token()
    return {
        "id": token["id"],
        "expires": token["expires"],
        "user_id": token["user_id"],
        "tenant_id": token["tenant_id"],
    }


def user_list(profile=None, **connection_args):
    """
    Return a list of available users (keystone user-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.user_list
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    for user in kstone.users.list():
        ret[user.name] = dict(
            (value, getattr(user, value, None))
            for value in dir(user)
            if not value.startswith("_")
            and isinstance(getattr(user, value, None), (six.string_types, dict, bool))
        )
        tenant_id = getattr(user, "tenantId", None)
        if tenant_id:
            ret[user.name]["tenant_id"] = tenant_id
    return ret


def user_get(user_id=None, name=None, profile=None, **connection_args):
    """
    Return a specific users (keystone user-get)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_get c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.user_get user_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.user_get name=nova
    """
    kstone = auth(profile, **connection_args)
    ret = {}
    if name:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
    if not user_id:
        return {"Error": "Unable to resolve user id"}
    try:
        user = kstone.users.get(user_id)
    except keystoneclient.exceptions.NotFound:
        msg = "Could not find user '{0}'".format(user_id)
        log.error(msg)
        return {"Error": msg}

    ret[user.name] = dict(
        (value, getattr(user, value, None))
        for value in dir(user)
        if not value.startswith("_")
        and isinstance(getattr(user, value, None), (six.string_types, dict, bool))
    )

    tenant_id = getattr(user, "tenantId", None)
    if tenant_id:
        ret[user.name]["tenant_id"] = tenant_id
    return ret


def user_create(
    name,
    password,
    email,
    tenant_id=None,
    enabled=True,
    profile=None,
    project_id=None,
    description=None,
    **connection_args
):
    """
    Create a user (keystone user-create)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_create name=jack password=zero email=jack@halloweentown.org \
        tenant_id=a28a7b5a999a455f84b1f5210264375e enabled=True
    """
    kstone = auth(profile, **connection_args)

    if _OS_IDENTITY_API_VERSION > 2:
        if tenant_id and not project_id:
            project_id = tenant_id
        item = kstone.users.create(
            name=name,
            password=password,
            email=email,
            project_id=project_id,
            enabled=enabled,
            description=description,
        )
    else:
        item = kstone.users.create(
            name=name,
            password=password,
            email=email,
            tenant_id=tenant_id,
            enabled=enabled,
        )
    return user_get(item.id, profile=profile, **connection_args)


def user_delete(user_id=None, name=None, profile=None, **connection_args):
    """
    Delete a user (keystone user-delete)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_delete c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.user_delete user_id=c965f79c4f864eaaa9c3b41904e67082
        salt '*' keystone.user_delete name=nova
    """
    kstone = auth(profile, **connection_args)
    if name:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
    if not user_id:
        return {"Error": "Unable to resolve user id"}
    kstone.users.delete(user_id)
    ret = "User ID {0} deleted".format(user_id)
    if name:

        ret += " ({0})".format(name)
    return ret


def user_update(
    user_id=None,
    name=None,
    email=None,
    enabled=None,
    tenant=None,
    profile=None,
    project=None,
    description=None,
    **connection_args
):
    """
    Update a user's information (keystone user-update)
    The following fields may be updated: name, email, enabled, tenant.
    Because the name is one of the fields, a valid user id is required.

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_update user_id=c965f79c4f864eaaa9c3b41904e67082 name=newname
        salt '*' keystone.user_update c965f79c4f864eaaa9c3b41904e67082 name=newname email=newemail@domain.com
    """
    kstone = auth(profile, **connection_args)
    if not user_id:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
        if not user_id:
            return {"Error": "Unable to resolve user id"}
    user = kstone.users.get(user_id)
    # Keep previous settings if not updating them
    if not name:
        name = user.name
    if not email:
        email = user.email
    if enabled is None:
        enabled = user.enabled

    if _OS_IDENTITY_API_VERSION > 2:
        if description is None:
            description = getattr(user, "description", None)
        else:
            description = six.text_type(description)

        project_id = None
        if project:
            for proj in kstone.projects.list():
                if proj.name == project:
                    project_id = proj.id
                    break
        if not project_id:
            project_id = getattr(user, "project_id", None)

        kstone.users.update(
            user=user_id,
            name=name,
            email=email,
            enabled=enabled,
            description=description,
            project_id=project_id,
        )
    else:
        kstone.users.update(user=user_id, name=name, email=email, enabled=enabled)

        tenant_id = None
        if tenant:
            for tnt in kstone.tenants.list():
                if tnt.name == tenant:
                    tenant_id = tnt.id
                    break
            if tenant_id:
                kstone.users.update_tenant(user_id, tenant_id)

    ret = "Info updated for user ID {0}".format(user_id)
    return ret


def user_verify_password(
    user_id=None, name=None, password=None, profile=None, **connection_args
):
    """
    Verify a user's password

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_verify_password name=test password=foobar
        salt '*' keystone.user_verify_password user_id=c965f79c4f864eaaa9c3b41904e67082 password=foobar
    """
    kstone = auth(profile, **connection_args)
    if "connection_endpoint" in connection_args:
        auth_url = connection_args.get("connection_endpoint")
    else:
        if _OS_IDENTITY_API_VERSION > 2:
            auth_url = __salt__["config.option"](
                "keystone.endpoint", "http://127.0.0.1:35357/v3"
            )
        else:
            auth_url = __salt__["config.option"](
                "keystone.endpoint", "http://127.0.0.1:35357/v2.0"
            )

    if user_id:
        for user in kstone.users.list():
            if user.id == user_id:
                name = user.name
                break
    if not name:
        return {"Error": "Unable to resolve user name"}
    kwargs = {"username": name, "password": password, "auth_url": auth_url}
    try:
        if _OS_IDENTITY_API_VERSION > 2:
            client3.Client(**kwargs)
        else:
            client.Client(**kwargs)
    except (
        keystoneclient.exceptions.Unauthorized,
        keystoneclient.exceptions.AuthorizationFailure,
    ):
        return False
    return True


def user_password_update(
    user_id=None, name=None, password=None, profile=None, **connection_args
):
    """
    Update a user's password (keystone user-password-update)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_password_update c965f79c4f864eaaa9c3b41904e67082 password=12345
        salt '*' keystone.user_password_update user_id=c965f79c4f864eaaa9c3b41904e67082 password=12345
        salt '*' keystone.user_password_update name=nova password=12345
    """
    kstone = auth(profile, **connection_args)
    if name:
        for user in kstone.users.list():
            if user.name == name:
                user_id = user.id
                break
    if not user_id:
        return {"Error": "Unable to resolve user id"}

    if _OS_IDENTITY_API_VERSION > 2:
        kstone.users.update(user=user_id, password=password)
    else:
        kstone.users.update_password(user=user_id, password=password)
    ret = "Password updated for user ID {0}".format(user_id)
    if name:
        ret += " ({0})".format(name)
    return ret


def user_role_add(
    user_id=None,
    user=None,
    tenant_id=None,
    tenant=None,
    role_id=None,
    role=None,
    profile=None,
    project_id=None,
    project_name=None,
    **connection_args
):
    """
    Add role for user in tenant (keystone user-role-add)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_role_add \
user_id=298ce377245c4ec9b70e1c639c89e654 \
tenant_id=7167a092ece84bae8cead4bf9d15bb3b \
role_id=ce377245c4ec9b70e1c639c89e8cead4
        salt '*' keystone.user_role_add user=admin tenant=admin role=admin
    """
    kstone = auth(profile, **connection_args)

    if project_id and not tenant_id:
        tenant_id = project_id
    elif project_name and not tenant:
        tenant = project_name

    if user:
        user_id = user_get(name=user, profile=profile, **connection_args)[user].get(
            "id"
        )
    else:
        user = next(
            six.iterkeys(user_get(user_id, profile=profile, **connection_args))
        )["name"]
    if not user_id:
        return {"Error": "Unable to resolve user id"}

    if tenant:
        tenant_id = tenant_get(name=tenant, profile=profile, **connection_args)[
            tenant
        ].get("id")
    else:
        tenant = next(
            six.iterkeys(tenant_get(tenant_id, profile=profile, **connection_args))
        )["name"]
    if not tenant_id:
        return {"Error": "Unable to resolve tenant/project id"}

    if role:
        role_id = role_get(name=role, profile=profile, **connection_args)[role]["id"]
    else:
        role = next(
            six.iterkeys(role_get(role_id, profile=profile, **connection_args))
        )["name"]
    if not role_id:
        return {"Error": "Unable to resolve role id"}

    if _OS_IDENTITY_API_VERSION > 2:
        kstone.roles.grant(role_id, user=user_id, project=tenant_id)
    else:
        kstone.roles.add_user_role(user_id, role_id, tenant_id)
    ret_msg = '"{0}" role added for user "{1}" for "{2}" tenant/project'
    return ret_msg.format(role, user, tenant)


def user_role_remove(
    user_id=None,
    user=None,
    tenant_id=None,
    tenant=None,
    role_id=None,
    role=None,
    profile=None,
    project_id=None,
    project_name=None,
    **connection_args
):
    """
    Remove role for user in tenant (keystone user-role-remove)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_role_remove \
user_id=298ce377245c4ec9b70e1c639c89e654 \
tenant_id=7167a092ece84bae8cead4bf9d15bb3b \
role_id=ce377245c4ec9b70e1c639c89e8cead4
        salt '*' keystone.user_role_remove user=admin tenant=admin role=admin
    """
    kstone = auth(profile, **connection_args)

    if project_id and not tenant_id:
        tenant_id = project_id
    elif project_name and not tenant:
        tenant = project_name

    if user:
        user_id = user_get(name=user, profile=profile, **connection_args)[user].get(
            "id"
        )
    else:
        user = next(
            six.iterkeys(user_get(user_id, profile=profile, **connection_args))
        )["name"]
    if not user_id:
        return {"Error": "Unable to resolve user id"}

    if tenant:
        tenant_id = tenant_get(name=tenant, profile=profile, **connection_args)[
            tenant
        ].get("id")
    else:
        tenant = next(
            six.iterkeys(tenant_get(tenant_id, profile=profile, **connection_args))
        )["name"]
    if not tenant_id:
        return {"Error": "Unable to resolve tenant/project id"}

    if role:
        role_id = role_get(name=role, profile=profile, **connection_args)[role]["id"]
    else:
        role = next(six.iterkeys(role_get(role_id)))["name"]
    if not role_id:
        return {"Error": "Unable to resolve role id"}

    if _OS_IDENTITY_API_VERSION > 2:
        kstone.roles.revoke(role_id, user=user_id, project=tenant_id)
    else:
        kstone.roles.remove_user_role(user_id, role_id, tenant_id)
    ret_msg = '"{0}" role removed for user "{1}" under "{2}" tenant'
    return ret_msg.format(role, user, tenant)


def user_role_list(
    user_id=None,
    tenant_id=None,
    user_name=None,
    tenant_name=None,
    profile=None,
    project_id=None,
    project_name=None,
    **connection_args
):
    """
    Return a list of available user_roles (keystone user-roles-list)

    CLI Examples:

    .. code-block:: bash

        salt '*' keystone.user_role_list \
user_id=298ce377245c4ec9b70e1c639c89e654 \
tenant_id=7167a092ece84bae8cead4bf9d15bb3b
        salt '*' keystone.user_role_list user_name=admin tenant_name=admin
    """
    kstone = auth(profile, **connection_args)
    ret = {}

    if project_id and not tenant_id:
        tenant_id = project_id
    elif project_name and not tenant_name:
        tenant_name = project_name

    if user_name:
        for user in kstone.users.list():
            if user.name == user_name:
                user_id = user.id
                break
    if tenant_name:
        for tenant in getattr(kstone, _TENANTS, None).list():
            if tenant.name == tenant_name:
                tenant_id = tenant.id
                break
    if not user_id or not tenant_id:
        return {"Error": "Unable to resolve user or tenant/project id"}

    if _OS_IDENTITY_API_VERSION > 2:
        for role in kstone.roles.list(user=user_id, project=tenant_id):
            ret[role.name] = dict(
                (value, getattr(role, value))
                for value in dir(role)
                if not value.startswith("_")
                and isinstance(getattr(role, value), (six.string_types, dict, bool))
            )
    else:
        for role in kstone.roles.roles_for_user(user=user_id, tenant=tenant_id):
            ret[role.name] = {
                "id": role.id,
                "name": role.name,
                "user_id": user_id,
                "tenant_id": tenant_id,
            }
    return ret


def _item_list(profile=None, **connection_args):
    """
    Template for writing list functions
    Return a list of available items (keystone items-list)

    CLI Example:

    .. code-block:: bash

        salt '*' keystone.item_list
    """
    kstone = auth(profile, **connection_args)
    ret = []
    for item in kstone.items.list():
        ret.append(item.__dict__)
        # ret[item.name] = {
        #         'id': item.id,
        #         'name': item.name,
        #         }
    return ret

    # The following is a list of functions that need to be incorporated in the
    # keystone module. This list should be updated as functions are added.
    #
    # endpoint-create     Create a new endpoint associated with a service
    # endpoint-delete     Delete a service endpoint
    # discover            Discover Keystone servers and show authentication
    #                     protocols and
    # bootstrap           Grants a new role to a new user on a new tenant, after
    #                     creating each.
